Package: diaspora-common
Version: 0.6.0.0+debian5
Severity: serious

Hi Pirate,

I believe this is a security hole, but it will not affect every user of the package, which is why I have set it to Severity: serious.

During the debconf setup, you are asked (if Twitter etc. are selected) for your Twitter Key and Twitter Secret (and likewise for the other services). (It is not immediately clear what these mean; the debconf questions could be improved on this point, I guess. But that's not the focus of this bug report.)

The secret (and possibly the key as well) should not be world-readable, but they are stored in the world-readable file /var/cache/debconf/config.dat. They (or at least the Secret) need to be flagged as being passwords in the template file (Type: password rather than Type: string).

In addition, these data are then stored in the configuration file /var/lib/diaspora-common/diaspora.conf. However, this file is also world-readable and needs to be readable only by those system users who need to have access to this data (perhaps the diaspora user or group www-data?).

Best wishes,

Julian

-- System Information:
Debian Release: stretch/sid
  APT prefers jessie
  APT policy: (500, 'jessie'), (500, 'testing'), (500, 'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.8.0-2-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8) (ignored: LC_ALL set to en_GB.UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages diaspora-common depends on:
ii  adduser                                    3.115
ii  bc                                         1.06.95-9+b2
ii  ca-certificates                            20161130
ii  curl                                       7.51.0-1
ii  dbconfig-mysql                             2.0.7
ii  debconf [debconf-2.0]                      1.5.59
ii  default-mysql-server                       1.0.1
ii  exim4                                      4.88-2
ii  exim4-daemon-light [mail-transport-agent]  4.88-2
ii  lsb-base                                   9.20161125
ii  mariadb-server-10.0 [virtual-mysql-server] 10.0.28-2
ii  net-tools                                  1.60+git20161116.90da8a0-1
ii  nginx-full [nginx]                         1.10.2-3
ii  nodejs                                     4.6.1~dfsg-1
ii  postgresql                                 9.6+178
ii  rake                                       10.5.0-2
ii  redis-server                               3:3.2.6-1
ii  ruby                                       1:2.3.3
ii  ruby-rspec                                 3.5.0c3e0m0s0-1
ii  ruby2.1 [ruby-interpreter]                 2.1.5-4
ii  sudo                                       1.8.19-1
ii  ucf                                        3.0036

diaspora-common recommends no packages.

Versions of packages diaspora-common suggests:
ii  easy-rsa  2.2.2-2

-- debconf information excluded
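The two checks the report asks for can be scripted. The following is an added example, not code from the diaspora-common package or from the reporter: it flags debconf templates whose name suggests a secret but which are declared `Type: string` (answers to non-password templates end up in the world-readable /var/cache/debconf/config.dat), tests whether a configuration file grants any permission to "other", and writes a secrets file with mode 0640 so that only its owner and one group can read it. The template names in the built-in sample and the `TWITTER_*` keys are constructed placeholders; the secret-detecting regex is a heuristic, not a debconf rule.

```shell
#!/bin/sh
# Added example (not part of the diaspora-common package). Audits debconf
# templates and config-file permissions for leaked OAuth secrets.
set -eu

# Print the name of every template whose name looks like a secret but whose
# Type is not "password". Heuristic: match secret/password/token in the name.
audit_templates() {
    awk '
        /^Template:/ { name = $2 }
        /^Type:/ {
            if (tolower(name) ~ /secret|password|passwd|token/ && $2 != "password")
                print name
        }
    ' "$1"
}

# Print "yes" if FILE has any permission bit set for "other", else "no".
# Relies on GNU stat printing the octal mode; the last digit is "other".
is_world_readable() {
    mode=$(stat -c '%a' "$1")
    other=$(printf '%s' "$mode" | sed 's/.*\(.\)$/\1/')
    if [ "$other" -ne 0 ]; then echo yes; else echo no; fi
}

# Write the remaining arguments (KEY=VALUE lines) to DEST with mode 0640.
# mktemp creates the staging file 0600, so the secret is never world-readable,
# even briefly. Ownership (e.g. root:diaspora) must be set separately, as root.
write_secret_conf() {
    dest=$1
    shift
    tmp=$(mktemp)
    printf '%s\n' "$@" > "$tmp"
    install -m 0640 "$tmp" "$dest"
    rm -f "$tmp"
}

# Stand-alone usage: report on the two files named in the bug, if present.
for f in /var/cache/debconf/config.dat /var/lib/diaspora-common/diaspora.conf; do
    if [ -e "$f" ]; then
        echo "$f: world-readable=$(is_world_readable "$f")"
    fi
done
```

Running the script on a host prints whether each of the two files is readable by "other"; a packager would call `audit_templates debian/diaspora-common.templates` from a build-time test and `write_secret_conf` (followed by `chown root:diaspora`) from the postinst that generates diaspora.conf.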